01-30-2018 08:48 PM
Hi, I'm doing an ISE POV for my customer with BYOD as one of the features to demo. A "Secure access configuration for the network failed" error was returned on the network setup assistance application (with screenshot below). I've checked the certificate store on Windows; ISE's CA self-signed cert was pushed down but not the User Cert.
The spwProfileLog file shows as below, indicating that the NSP process failed to configure the device due to a certificate installation failure. However, it works fine on an Android mobile phone.
I'd appreciate it if anyone can shed some light on this.
01-31-2018 04:53 PM
Your log file looks like ISE is not issuing the client certificate, but we won't know more until looking at the ISE debug logs with the pertinent components in DEBUG. It's best for you to engage Cisco TAC to troubleshoot. Otherwise, you may take a look at the existing ISE dCloud labs and try your clients there.
Attached is a spwProfileLog.txt from a Win-7 client that successfully performed a BYOD on its wired connection (MAB -> CWA -> BYOD -> EAP-TLS).
02-04-2018 08:01 AM
Thanks @hslai! I managed to dig into the ISE debug logs, where I found these logs, and resolved the problem by replacing the ISE root CA certificate chain.
2018-02-02 15:48:06,365 DEBUG [https-jsse-nio-172.25.89.244-8443-exec-10][] cisco.cpm.provisioning.cert.CertProvisioningFactory -::::- Found incoming certifcate request for internal CA. Increasing Cert Request counter.
2018-02-02 15:48:06,368 INFO [https-jsse-nio-172.25.89.244-8443-exec-10][] cisco.epm.pdp.cache.CacheUtil -::::- before casting object to transaction
2018-02-02 15:48:06,368 INFO [https-jsse-nio-172.25.89.244-8443-exec-10][] cisco.epm.pdp.cache.CacheUtil -::::- object is an instance of TransactionInfo
2018-02-02 15:48:06,368 INFO [https-jsse-nio-172.25.89.244-8443-exec-10][] cisco.epm.pdp.cache.CacheUtil -::::- after casting object to transaction inside loop 0
2018-02-02 15:48:06,368 INFO [https-jsse-nio-172.25.89.244-8443-exec-10][] cisco.mnt.dbms.handler.DataSourceReInitializingHandler -::::- object is an instance of TransactionInfo
2018-02-02 15:48:06,379 DEBUG [https-jsse-nio-172.25.89.244-8443-exec-10][] cisco.cpm.provisioning.cert.CertProvisioningFactory -::::- Key type is RSA, retrieving ScepCertRequestProcessor for caProfileName=ISE Internal CA
2018-02-02 15:48:06,379 DEBUG [https-jsse-nio-172.25.89.244-8443-exec-10][] cisco.cpm.provisioning.cert.CertRequestValidator -::::- Session user has been set to = srv_isepoc
2018-02-02 15:48:06,379 WARN [https-jsse-nio-172.25.89.244-8443-exec-10][] com.cisco.cpm.scep.ScepCertRequestProcessor -::::- No live PKI server found for certificate request [C=US,ST=State,L=City,O=Company name,OU=Example unit,CN=srv_isepoc]
02-04-2018 08:14 AM
I am glad it is now working for you. Thanks a lot for the update.